Improve password handling (#1)

README.md

@@ -93,7 +93,7 @@ URL for the actual budget server, without a trailing `/`
 
 ### ACTUAL_BUDGET_PASSWORD
 
-Password for the actual budget server. Single quotes must be escaped with a backslash. Double quotes, spaces, backslashes and the dollar symbol will break the script at present, so change your password if it has those symbols in it.
+Password for the actual budget server. If you're setting this through the docker-compose file, Single quotes must be escaped with by doubling them up. e.g. if your password is `SuperGo'oodPassw\ord"1` you would enter `ACTUAL_BUDGET_PASSWORD: 'SuperGo''oodPassw\ord"1'`. If you're using the env file method, you will need to work out your own way to encode your password without breaking the env file.
 
 ### ACTUAL_BUDGET_SYNC_ID
 

docs/getting-started.md

@@ -32,7 +32,7 @@ Next you need to tell the container how it's going to talk to your Actual server
 
 `ACTUAL_BUDGET_URL` - First, set the url of the Actual Server, including the protocol, (and the port if applicable) (NB: Do NOT add a trailing / to this. e.g. `ACTUAL_BUDGET_URL: 'https://acutal.example.com'` will work, but `ACTUAL_BUDGET_URL: 'https://acutal.example.com/'` will not)
 
-`ACTUAL_BUDGET_PASSWORD` - Second, you need to put the password for your budget. (NB: If your password contains any singly quotes (`'`), you need to escape them e.g. if your password was `123Super'Password` you would need to enter `ACTUAL_BUDGET_PASSWORD: '123Super\'Password'`. If your password contains any of `"`, `$`, or `\`; change it so it doesn't. It's possible to make that work, but it's painful.)
+`ACTUAL_BUDGET_PASSWORD` - Second, you need to put the password for your budget. (NB: If your password contains any single quotes (`'`), you need to escape the by doubling them up e.g. if your password was `123Super'Password` you would need to enter `ACTUAL_BUDGET_PASSWORD: '123Super''Password'`.
 
 `ACTUAL_BUDGET_SYNC_ID` - Finally, this identifies the budget on the server. To get this ID, open Actual in your web browser, and go to `Settings`. At the bottom, click `Show advanced settings`, and the `Sync ID` should be in the top section there.
 

scripts/backup.sh

@@ -12,12 +12,18 @@ function backup_file_name () {
     BACKUP_FILE_ZIP="backup/backup.$1.${NOW}.zip"
 }
 
+function prepare_login_json() {
+    (printf '%s\0%s\0' "loginMethod" "password" && printf '%s\0%s\0' "password" "${ACTUAL_BUDGET_PASSWORD}") | jq -Rs 'split("\u0000") | . as $a 
+                  | reduce range(0; 2) as $i 
+                  ({}; . + {($a[2*$i]): ($a[2*$i + 1])})' > /tmp/login.json
+}
+
 function download_actual_budget() {
-    color blue "Downloading Actual Budger backup"
+    color blue "Downloading Actual Budget backup"
     color green "Login into Actual Budget" 
-
-    local TOKEN="$(curl -s --location "${ACTUAL_BUDGET_URL}/account/login" --header 'Content-Type: application/json' --data-raw "{\"loginMethod\": \"password\",\"password\": \"${ACTUAL_BUDGET_PASSWORD}\"}"  | jq --raw-output '.data.token')"
-
+    prepare_login_json
+    local TOKEN="$(curl -s --location "${ACTUAL_BUDGET_URL}/account/login" --header 'Content-Type: application/json' --data @/tmp/login.json  | jq --raw-output '.data.token')"
+    rm /tmp/login.json
     for ACTUAL_BUDGET_SYNC_ID_X in "${ACTUAL_BUDGET_SYNC_ID_LIST[@]}"
     do
         color green "Get file id for ${ACTUAL_BUDGET_SYNC_ID_X}"

scripts/includes.sh

@@ -199,8 +199,8 @@ function init_actual_env(){
 
     get_env ACTUAL_BUDGET_SYNC_ID
 
-    if [[ -z "${!ACTUAL_BUDGET_SYNC_ID}" ]]; then        
-        colot red "Invalid sync id"
+    if [[ -z "${ACTUAL_BUDGET_SYNC_ID}" ]]; then        
+        color red "Invalid sync id"
         exit 1
     fi